General

  • Target

    4a2902958e01cc91f2e71736e0de83aa_JaffaCakes118

  • Size

    1.9MB

  • Sample

    240516-j5anzaca72

  • MD5

    4a2902958e01cc91f2e71736e0de83aa

  • SHA1

    dcd0b86a807feeb0aa8e1178961b2685fb5cb502

  • SHA256

    c826d112cbfa6ac5f2950113046c40a0aa00bc1595a0f2019d108df02b99b0a4

  • SHA512

    ba14483508d21b04f99f42f8e544af296d214569a1d0ef8bae173a6acbe84f3f5e14b6b637685b1dfd5a794b5473f7276a71d0ea039e9bdab64552b5064d3c35

  • SSDEEP

    49152:P+NJvFDhjAe+RVZWI1oLTXD3+s5RHj7KoLl+c733H:0Ch3tmLTL+szfKoZT33H

Malware Config

Targets

    • Target

      4a2902958e01cc91f2e71736e0de83aa_JaffaCakes118

    • Size

      1.9MB

    • MD5

      4a2902958e01cc91f2e71736e0de83aa

    • SHA1

      dcd0b86a807feeb0aa8e1178961b2685fb5cb502

    • SHA256

      c826d112cbfa6ac5f2950113046c40a0aa00bc1595a0f2019d108df02b99b0a4

    • SHA512

      ba14483508d21b04f99f42f8e544af296d214569a1d0ef8bae173a6acbe84f3f5e14b6b637685b1dfd5a794b5473f7276a71d0ea039e9bdab64552b5064d3c35

    • SSDEEP

      49152:P+NJvFDhjAe+RVZWI1oLTXD3+s5RHj7KoLl+c733H:0Ch3tmLTL+szfKoZT33H

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks